2 Answers
2

DNS Zone transfer is the process where a DNS server passes a copy of part of it's database (a zone) to another DNS server. It's how you can have more than one DNS server able to answer queries about a particular zone; there is a Master DNS server, and Slave DNS servers, and the slave asks he master for a copy of the records for that zone.

A basic DNS Zone Transfer Attack isn't very fancy: you just pretend you're a slave, ask the master for a copy of the zone records, and it sends you them. DNS is one of those really old-school Internet protocols that was designed when everyone on the Internet knew everyone else's name and address, and so servers trusted each other implicitly.

It's worth stopping zone transfer attacks, as a copy of your DNS zone may reveal a lot of topological information about your internal network. In particular, if someone plans to subvert your DNS, by poisoning or spoofing it, for example, they'll find having a copy of the real data very useful.

So best practice is to restrict Zone transfers. At the bare minimum, you tell the master what the IP addresses of the slaves are and not to transfer to anyone else. In more sophisticated set-ups, you sign the transfers. So the more sophisticated zone transfer attacks try and get round these controls.

By being able to query for all records from the DNS server, the attacker can easily determine which machines are accessible. The zone transfer may reveal network elements that is accessible from the Internet, but that a search engine like Google (site:.target.) does not pick up. Lesson here is that you don't want to let the bad guys have the information for free! The should have to work as hard as possible for it...

An interesting fact about DNS zone transfers is that they usually rely on TCP port 53 instead of UDP port 53. If you see TCP port 53 in use it could tell you that someone is doing a zone transfer.

To actually complete a zone transfer on a vulnerable DNS server you could issue these commands: